Banking malware uses fake reCAPTCHA page to target banking customers

A fake Google reCAPTCHA page is at the centre of one of the latest email campaigns targeting customers of a Polish bank. Sucuri researchers reported their discovery on Thursday on the company's blog.

How it works

Victims are targeted emotionally: the attackers play on the urgency a user feels when an email about their finances arrives. The victim receives a fake confirmation email asking them to confirm a recent transaction. Because the emails are sent in bulk, they do not refer to any real transaction. The email delivers a link to a malicious .PHP file hosted on a web server. PHP files are normally web page files: a PHP engine on the web server executes them to generate HTML, so the file does its work when the victim's browser requests it, not on the victim's own machine. The malicious content is obfuscated; among other things, the code searches the current directory for files with the same extension. In this campaign the PHP file logs each request it receives and serves a fake 404 error page to requests whose user agent matches a defined list, a cloaking trick that keeps search engine crawlers and security scanners from ever seeing the phishing page.

Where the Google reCAPTCHA replica page comes in

Once a request passes the user-agent filter, the PHP code loads a fake reCAPTCHA and decides which malware to deliver to the user's machine. The fake page is built from a combination of static HTML elements and JavaScript rather than Google's real widget. Because those elements are static, one visible tell is that the challenge images never change; they change only if the malicious PHP file's code is edited. Another tell is the audio challenge: on the fake page it does not work.

When choosing between the .zip dropper and the .apk malware, the PHP code rechecks the user agent. If the user agent shows that the device runs Android, the .apk is served; otherwise the victim receives the .zip dropper.
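As an added illustration (this is not code from the Sucuri write-up or from the attacker's kit), the following Python probe checks a suspect URL for the three behaviours described above: a 404 served only to crawler user agents, a reCAPTCHA lookalike built from static markup that never loads Google's widget, and a download step that hands Android browsers an APK while everyone else gets a ZIP. The probe user agents, the hypothetical URLs and the two simulated servers are constructed so the script runs offline; against a live site you would replace the fetch callable with a real HTTP client.

```python
"""Probe a suspect URL for the cloaking and fake-reCAPTCHA behaviour described
in the article. Added example, not the attacker's code or Sucuri's."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Response:
    status: int
    content_type: str
    body: bytes


# Assumed probe set (not from the article): one crawler, one desktop browser, one Android browser.
PROBE_AGENTS: Dict[str, str] = {
    "crawler": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0 Safari/537.36",
    "android": "Mozilla/5.0 (Linux; Android 8.0.0; Pixel 2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0 Mobile Safari/537.36",
}

# The genuine widget is always loaded from Google's reCAPTCHA endpoint; a static replica is not.
GENUINE_RECAPTCHA = re.compile(rb"https://www\.google\.com/recaptcha/", re.I)
ANDROID_PACKAGE = "application/vnd.android.package-archive"

Fetcher = Callable[[str, str], Response]  # (url, user_agent) -> Response


def probe_page(fetch: Fetcher, url: str) -> List[str]:
    """Request one URL with every probe user agent and return the indicators found."""
    findings: List[str] = []
    responses = {name: fetch(url, ua) for name, ua in PROBE_AGENTS.items()}
    browsers = [r for name, r in responses.items() if name != "crawler"]
    # Indicator 1: crawlers get a 404 while ordinary browsers get a page (user-agent cloaking).
    if responses["crawler"].status == 404 and all(r.status == 200 for r in browsers):
        findings.append("ua_cloaking")
    # Indicator 2: the page talks about reCAPTCHA but never loads Google's widget.
    for name, r in responses.items():
        if r.status == 200 and b"recaptcha" in r.body.lower() and not GENUINE_RECAPTCHA.search(r.body):
            findings.append(f"static_recaptcha_replica:{name}")
    return findings


def probe_dropper(fetch: Fetcher, url: str) -> Dict[str, str]:
    """Fetch the post-captcha download URL as each browser and record the content type served."""
    return {name: fetch(url, ua).content_type
            for name, ua in PROBE_AGENTS.items() if name != "crawler"}


def dropper_is_platform_targeted(content_types: Dict[str, str]) -> bool:
    """True when the Android browser gets an APK while the desktop browser gets something else."""
    return (content_types.get("android") == ANDROID_PACKAGE
            and content_types.get("desktop") != ANDROID_PACKAGE)


# Constructed stand-ins so the probe runs offline. They reproduce only the behaviour the
# article describes; the URL, the filter list and the payload bytes are made up.
FAKE_CAPTCHA_HTML = b"""<html><body>
<div class="g-recaptcha"><img src="recaptcha_checkbox.png" alt="reCAPTCHA"> I'm not a robot</div>
<script>document.querySelector("img").onclick = function () { location = "download.php"; };</script>
</body></html>"""

GENUINE_CAPTCHA_HTML = (b'<html><body><script src="https://www.google.com/recaptcha/api.js"></script>'
                        b'<div class="g-recaptcha" data-sitekey="SITE_KEY"></div></body></html>')


def simulated_phish_server(url: str, user_agent: str) -> Response:
    ua = user_agent.lower()
    if "googlebot" in ua or "bingbot" in ua:          # the defined user-agent filter
        return Response(404, "text/html", b"<h1>404 Not Found</h1>")
    if url.endswith("/download.php"):                 # the step after the fake challenge
        if "android" in ua:
            return Response(200, ANDROID_PACKAGE, b"PK\x03\x04...apk...")
        return Response(200, "application/zip", b"PK\x03\x04...zip...")
    return Response(200, "text/html", FAKE_CAPTCHA_HTML)


def simulated_benign_server(url: str, user_agent: str) -> Response:
    return Response(200, "text/html", GENUINE_CAPTCHA_HTML)


if __name__ == "__main__":
    base = "http://compromised.example/wp-content/uploads"     # hypothetical
    print(probe_page(simulated_phish_server, base + "/index.php"))
    types = probe_dropper(simulated_phish_server, base + "/download.php")
    print(types, dropper_is_platform_targeted(types))
    print(probe_page(simulated_benign_server, "http://bank.example/login"))  # expect []
```

The crawler-versus-browser comparison is the useful part: a single request from a scanner sees only the 404, which is exactly what the attacker's filter is designed to achieve, so any takedown or triage tooling needs to fetch the page with a realistic browser user agent as well.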

Once installed on the victim's device, the malware intercepts SMS-based multi-factor authentication codes and goes on to steal further credentials. A one-time code delivered by SMS offers no protection against malware running on the very phone that receives it.